On Tue, Nov 29, 2005 at 02:20:55PM +0100, Florian Weimer wrote:
> * Anthony Towns:
> > On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote:
> >> In terms of security, there are some better hash functions.
> >
> > My understanding was that there aren't other hash functions that've had
> > remotely similar levels of cryptographic analysis to md5 and sha.
>
> Neither MD5 nor SHA1 have received much public scrutiny. Dobbertin's
> work on MD5 has never been fully published. I've already joked that
> the difference between Wang et al. and European or U.S. cryptographers
> is that the Chinese government doesn't tell their researchers not to
> publish their results. 8-P
>
> > IIRC, the elliptic curve cryptography stuff was supposed to be
> > similarly neat, until people started analysing it seriously, at
> > which point it broke.
>
> The NSA has recently licensed ECC patents from Certicom.
>
> There are weak elliptic curves as far as cryptography is concerned,
> but there are also others: inefficient ones and those which have been
> patented by Certicom.

A cryptographer friend of mine recently attended the NIST Hallowe'en
Hash Bash (http://www.csrc.nist.gov/pki/HashWorkshop/index.html), and
made a few notes in his blog:
http://www.livejournal.com/users/sevenstring/7326.html
His suggestion there was "stick to SHA2 (or maybe Whirlpool) for now".
Did anyone else here attend this workshop?

That said, I suspect that any "my favourite algorithm" argument is going
to get horribly bogged down in bikeshedding. As long as we don't fall
into the multicollisions trap of spending more and more CPU time
generating and checking more and more iterative hash functions that
don't actually add significant collision-resistance when you check them
all together, a generalised checksumming tool as proposed seems an
obviously sensible and desirable thing to have.

--
Colin Watson [cjwatson@debian.org]
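The "multicollisions trap" in the last paragraph refers to Joux's 2004 observation that, for any iterated (Merkle-Damgard) hash, a 2^k-way collision costs only about k times a single collision, so computing and checking several such hashes over the same data (or concatenating them) buys far less collision resistance than the combined output length suggests. The following is an added illustration, not code from the thread or from any Debian tool: it builds two constructed toy hashes F and G with 16-bit states (SHA-256 truncated, keyed with a tag so they are independent), chains single-block collisions in F into a 2^k-way multicollision, and then finds a pair of messages that collide under F and G simultaneously with far fewer hash calls than the 2^32 a 32-bit concatenated hash ought to require.

```python
"""Toy demonstration of Joux (2004) multicollisions: why concatenating or
jointly checking several iterated hashes gives less collision resistance than
their combined output length suggests. The hashes here are constructed toys
with 16-bit states so that collisions are found by brute force in a fraction
of a second; real hashes differ only in the size of the numbers."""

import hashlib
import random
from itertools import product

STATE_BITS = 16
STATE_BYTES = STATE_BITS // 8
BLOCK_BYTES = 4            # message block size in bytes
IV_F = 0x1234              # constructed initial chaining values
IV_G = 0xABCD


def compress(tag: bytes, state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (tag || state || block), truncated
    to STATE_BITS. The tag keeps F and G independent of each other."""
    data = tag + state.to_bytes(STATE_BYTES, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:STATE_BYTES], "big")


def iterated_hash(tag: bytes, iv: int, blocks: list) -> int:
    """Merkle-Damgard iteration over whole blocks (no padding needed, since
    every message here is an exact number of blocks)."""
    h = iv
    for b in blocks:
        h = compress(tag, h, b)
    return h


def hash_f(blocks: list) -> int:
    return iterated_hash(b"F", IV_F, blocks)


def hash_g(blocks: list) -> int:
    return iterated_hash(b"G", IV_G, blocks)


def one_block_collision(tag: bytes, state: int, rng: random.Random):
    """Birthday search for two distinct blocks with the same compression
    output from 'state'. Costs about 2**(STATE_BITS/2) compression calls."""
    seen = {}
    while True:
        block = rng.getrandbits(8 * BLOCK_BYTES).to_bytes(BLOCK_BYTES, "big")
        out = compress(tag, state, block)
        if out in seen and seen[out] != block:
            return seen[out], block, out
        seen[out] = block


def joux_multicollision(tag: bytes, iv: int, k: int, seed: int = 0):
    """Chain k single-block collisions. Every one of the 2**k messages built by
    choosing pairs[i][0] or pairs[i][1] at each position hashes to the same
    final value, for a total cost of only k * 2**(STATE_BITS/2)."""
    rng = random.Random(seed)
    pairs = []
    state = iv
    for _ in range(k):
        b1, b2, state = one_block_collision(tag, state, rng)
        pairs.append((b1, b2))
    return pairs, state


def expand(pairs: list) -> list:
    """All 2**k messages of a multicollision, each as a list of blocks."""
    return [list(choice) for choice in product(*pairs)]


def concat_collision(k: int = 12, seed: int = 1):
    """Return m1 != m2 with F(m1) == F(m2) and G(m1) == G(m2): a 2**k-way
    multicollision in F supplies 2**k messages that already agree under F, and
    a birthday search over them finds two that also agree under G. Total work
    is about k * 2**8 + 2**k * k hash calls, nowhere near the 2**16 messages
    a 32-bit F||G 'should' need."""
    while True:
        pairs, _ = joux_multicollision(b"F", IV_F, k, seed + k)
        seen = {}
        for msg in expand(pairs):
            g = hash_g(msg)
            if g in seen:
                return seen[g], msg
            seen[g] = msg
        k += 1  # practically never reached with k=12 against a 16-bit G


if __name__ == "__main__":
    m1, m2 = concat_collision()
    print("F:", hex(hash_f(m1)), hex(hash_f(m2)))
    print("G:", hex(hash_g(m1)), hex(hash_g(m2)))
```

The design point is that the second hash never gets a fresh 2^n-sized search space: once the first hash is forced to a fixed value on 2^k structurally distinct messages, the second hash is attacked by an ordinary birthday search over that set, so the combined strength is roughly that of the stronger single hash plus a small factor, which is why the message's author warns against stacking ever more iterative hash functions.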